Human Firewall Conference 2023

I heard about this conference while I was at the Infosecurity Europe 2023 conference and registered my interest.  Attending this conference was a surprise, as I had put the dates in my diary for 16 - 17 October and then found I was too busy to attend.  In November I started getting emails telling me to register for the online platform, and ignored them until I got an email saying "we start in 15 minutes".  Realising my mistake (wrong month), I opted to have the conference on in the background while working.  This post is a summary of my notes over the 1.5 days.

I wasn't able to attend all the sessions due to other commitments, but managed to attend the following:

  • Artificial intelligence vs intelligent humans - cyber heroes assemble!
  • Putting cyber security into context
  • (Panel) A new era of cybercrime?  Impact of geopolitics, new technologies & digitalisation on cyber security
  • Top management in cyber security - why cyber security should be positioned as a business priority
  • On the digital frontline - ransomware, threat actor communication & building human resilience
  • FBI's most wanted - how a crypto-scammer stole 4 billion euros & vanished
  • (Panel) Hidden champions - best practices from security awareness leaders
  • Attacker mind games
  • (Conference closure) The future of cyber security - preparing for what's next

Recurring themes

I was keen to attend this conference because it dealt exclusively with the human side of cyber security.  While, no doubt, there were products shared that look to help your users become more aware (hence "human firewall"), this didn't appear to be another conference selling yet another technological tool to solve the problem.  A key recurring theme was helping friends, colleagues, and loved ones to be more aware of security threats and the steps they could take to reduce their risk.

"Artificial Intelligence" (AI) came up a lot, very much a technology that's important in 2023.  The speaker graphics for their welcome slides were actually an AI's artistic impression on the speakers based on their photographs.  It's important to consider how AI is being used as part of the attack chain to gather information on the target, so attack messages are more plausible and have more credibility.

Interestingly, cyber security exercising / wargaming (table top exercises and simulations used to practice an organisation's response) came up often.  I'm due to run some of these exercises for my employer later this year, and I've written a series of posts on wargaming previously.  It was reassuring to see this was a recurring theme given the time I'm about to invest in it.

Artificial intelligence vs intelligent humans - cyber heroes assemble!

A worrying statistic was that research shows security professionals don't expect the security threat landscape to ease in the next 12 months.  Email remains a key attack vector, and AI tools are being used by malicious actors to help generate initital emails.  The attack chain can now include using an AI tool to scrape the target's social media or LinkedIn profiles and then generate messaging that has more credibility, thus increasing the chance of an attack succeeding.

As an example of this attack chain, we saw how a social media profile was examined, a call script generated, and a voice message left for the target explaining that "an email was on the way to talk about this opportunity".  To sound more like a human, the voice message had pauses and "er, um" added in.

Putting cyber security into context

This talk was given by John Noble, a former National Cyber Security Centre director, and looked at the geopolitical side of attacks as well as the changes in techniques.  John reaffirmed the previous talks findings that AI tools were being used to scrape Internet content, and highlighted that it's able to look at decades worth of data, so was all the more powerful.

We heard how "we're still getting the basics wrong", particularly thinking about how slow people are at patching, and how Multi Factor Authentication (MFA) adoption is low.  In particular, I thought this quote was interesting:

If you don't have MFA, you deserve to be breached.

This wasn't the speaker wishing ill on an individual or organisation.  Instead this was to highlight how MFA is an increasingly uncomplicated thing (code generators, push notifications, etc.) so there really wasn't any excuse for not using it.

Other complications flagged when thinking about the basics were the fact that some networks are overly complex, or legacy equipment has to remain in use but isn't then protected.  Mergers and acquisitions mean that staff are disgruntled (insider threat increases) or are laid off, reducing the knowledge on an organisation's systems.  IT and security staff also often lack the skills needed to adequately defend against threats.

When attacked, organisations often see the incident as a one off issue - just them.  In the NCSC's experience, the attack is often part of a wider campaign, perhaps targeting organisations in a particular industry.  Ransomware as a Service is growing, supported by teams that specialise in gaining initial access to systems and then selling that access on.

Geopolitical tensions often change the targets of an attack, and it's important to consider that when planning defences.  Attackers often play the "long game", gaining access to a system and waiting.  Sometimes if detected, the attacker will just go dormant for a while before continuing.

Sounds like we need to be getting the basics right...

A summary of panel sessions

I've rolled the panel sessions together for this blog post, as there were some overlapping points and they were more of a discussion than a talk.

It'll come as no surprise that as a result of the pandemic we're more digitally dependent.  As security professionals we need to support friends, colleagues and loved ones in getting the basics right - encourage them to update their devices so they are harder to attack.  I found it interesting that the younger generations were the biggest risk - older folk tend to be more sceptical.

Several panels and sessions talked about the impact of paying ransoms, notably that if people pay the ransoms will continue.  I've written about paying ransoms before, and it was remarked that sometimes paying is the only option (e.g. if the business was going to close otherwise).  We were reminded that rebuilding systems and networks is not quick, or free, so everything has to be considered.

When it comes to organisations, there's a feeling that the board still isn't aware enough when it comes to security.  The speaker making that statement had reviewed the attendee job titles and there wasn't a single board level person at the conference.  As security professionals we need to ensure communication between the security team and the board is a two way dialogue.  It may help to send information to the board in terms of "problems we've avoided" rather than "here were the issues we had to react to".  Metrics such as "we blocked 3,125 spam emails last month" are unlikely to be useful.

Remember to tie security objectives back to business goals.  Also remember that if something does go wrong it's not the CISO, SISO, or security team's fault.

Supply chain security was discussed, reminding us that "you can be secure, but if the people either side of you aren't you still have a problem".  This then led to a discussion about how companies often don't share their post-incident learning.  If they did then others could benefit.

It was suggested that restricting access for your users may not be the best approach, instead putting in place "guard rails" to help them operate safely.  If a person meets an obstruction they'll often look for a way around it, whereas if they're able to proceed safely that may be a better overall result.  We were also reminded to ask our colleagues to do as few security things as possible:

One thing they will do, ten things they will not.

On the digital frontline - ransomware, threat actor communication & building human resilience

This was an interesting discussion on what happens for an organisation during a ransomware incident, and particuarly after dedicated response companies are called in.  My biggest take away from this session was the need to watch out for the wellbeing of your colleagues during an incident, and to help minimise the impact on them.  After-incident care is also important.  Evaluate not only the technical impact but also the human impact.

An interesting statistic based on the speaker's research:

Impacts on people can include Post Traumatic Stress Disorder (PTSD) (45%) or staff that go and look for another job (34%)

FBI's most wanted - how a crypto-scammer stole 4 billion euros & vanished

Jamie Bartlett of The Missing Cryptoqueen fame (a book and podcast series on the BBC) opened Friday with a talk about how people were fooled into investing in a fake crypto currency.  Having heard Jamie's podcast I knew he'd be an engaging speaker, and he did not disappoint.

Jamie took us through psychological techniques such as affinity fraud, where a scammer uses their credentials (PhD, past accomplishments) to sound more credible to their victim.  He touched on AI being used to scrape profiles, but also mentioned that we could use AI to help defend ourselves too.

If you are able to, I recommend listening to the missing cryptoqueen podcast, or reading Jamie's book.

Attacker mind games

The final keynote of the conference, and our speaker talked about techniques they use to negotiate with attackers such as ransomware gangs, as well as techniques attackers use against us.  Sometimes a scammer will send a message unprompted claiming to have an organisation's data, even when there's been no breach, perhaps claiming they'll send the data to a competitor if there's no payment.  After a quick poll of attendees, the speaker demonstrated that a competitor was unlikely to buy your data, as that would mean they had broken the law.

As part of a negotiation, sometimes the victim can arrange a lower payment because "we're part way through restoring already, why would be pay you so much?".  Regardless, the speaker said to only pay if there was a business case for doing so.

We were reminded of two other really important points:

  • Security professionals are not "protecting IT", they're protecting the business - an IT outage is a business outage, and should be owned by the business
  • If social engineering was successful, it's not the fault of the victim, but of the system that allowed the malicious message through

Overall

On the whole the conference was interesting to attend, and the event was free to attend online.  Thanks to SoSafe for organising the conference and making it available.  Personally, I didn't find the panel sessions too useful (possibly because I was multi-tasking) but I would comment that it was disappointing that all the panel sessions I saw were "manels" - men only panels.  Hopefully due to availability of speakers and not anything else.

SoSafe are looking to run the conference again next year, so I'm hoping to attend again online if I'm available.


Banner image: Human Firewall Conference "H F CON" logo, by SoSafe.